Roadmap to the GDPR: The Extraterritorial Reach of the GDPR, Tuesday, January 24, 2017


Follow us: @AlstonPrivacy www.AlstonPrivacy.com 2

Today’s Speakers

- David Keating, Co-Chair, Privacy & Data Security Practice (Moderator)
- Peter Swire, Senior Counsel, Atlanta, Alston & Bird
- Jan Dhont, Chair, EU Privacy & Data Security Practice
- Parker Miller, Partner, Technology & Telecommunications Litigation


Agenda

Introduction

The new regime in perspective

Discussion | Practical Impact & Enforcement Risks

Q&A


The Current Regime

Framework Directive applies to:

Controllers in the EU, regardless of physical location of processing (Art. 4(1)(a) Dir.)

Controller outside the EU, making use of “equipment” in the EU (Art. 4(1)(c) Dir.). Rationale: prevent companies from positioning their business seat outside the EU to avoid the Directive.

In Practice: broad interpretation / nationality of data subjects is irrelevant

Examples: cloud vendor in the EU, tracking devices deployed in the EU (cookies, JavaScript banners, etc.), EU-based CROs for pharma research. Potential competitive disadvantage for EU-based vendors!


The Current Regime

Extra-territorial application:

In theory, a non-EU based controller must comply with ALL requirements of the Directive

In practice,

“Mission Impossible” - Requirements differ between EU Member States

Often just compliance with data transfer requirements / appointment of a representative (at best)

Working Party: “the criterion of Article 4(1)(c) results in the principles of the Directive being applicable to the controller as such, for all the stages of the processing, even those taking place in a third country.” (Advice 8/2010).


GDPR Regime | Territorial Application

The GDPR applies to processing “in the context of activities of an establishment” of a controller or a processor in the EU, regardless of the physical location of processing (Art. 3(1) GDPR).

Controller or processor must be located in the EU

Establishment can be a subsidiary or a branch (legal form is irrelevant) / “Effective and real exercise of activity through stable arrangements”

Nationality of data subjects is irrelevant

Examples:

- HR processing by Luxembourg-based subsidiary of a UK company
- Belgian and Luxembourg branch offices of a company established in France
- Swedish-based subsidiary of a Brussels-based data processor stores data in the US


GDPR Regime | Extraterritorial Application

The GDPR applies to controllers and processors outside the EU that process personal data in connection with (Art. 3(2) GDPR):

The offering of goods or services to individuals in the EU

- Offering must be intended, not coincidental

- Language (Weltimmo C-230/14) and currency are important indicators

- B2C / B2B?

- Irrespective of payment by individual

Monitoring of behavior of individuals in the EU

- All types of internet tracking and profiling (recital 24)

- Arguably, “active tracking” required


The New Regime Applied

Each scenario below is assessed under the Framework Directive and under the GDPR.

US Controller using a cloud provider in the EU for data warehousing purposes
- Framework Directive: YES – use of equipment in the EU
- GDPR: NO – however, cloud vendor is directly liable

US Controller placing tracking technology on hard-drives in the EU
- Framework Directive: YES – use of equipment in the EU
- GDPR: YES – considered monitoring of behavior in the EU

US Controller targeting EU customers via website (sales in EURO)
- Framework Directive: NO – unless site hosted in the EU/using equipment in the EU
- GDPR: YES

US Controller using US-based vendor to build profiles on EU data subjects
- Framework Directive: NO – unless controller uses equipment in the EU
- GDPR: NO – unless tracking technology used to monitor EU data subjects


Representative

Requirement (Art. 27 GDPR): applies to controllers or processors outside the EU

Unless processing is occasional, does not include large-scale processing of sensitive data, and is unlikely to result in a risk (risk-based exemption)

Appointment in writing

Only one representative required

Legal / natural person established in the EU

In EU member state where data subjects are located

- In case of extra-territoriality, companies cannot benefit from one-stop-shop mechanism

- Appointment of a representative does not exempt the controller/processor from appointing a DPO

Tasks & Liability

Interface with SA and data subjects (representative must be identified in notices)

Record-keeping (Art. 30 GDPR) and cooperate in SA investigations (Art. 58 GDPR)

Liability of representative remains unclear, but does not create immunity for controller or processor

“[S]hould be subject to enforcement proceedings”


Jurisdiction Supervisory Authorities and Enforcement

SAs only have competence within their country (territoriality principle)

SAs may take action against the EU-based representative (Recital 80) and not against the controller/processor in the third country, BUT SAs may order suspension of data flows, for instance by local telecoms providers

Representatives may be sued and held accountable – market will require non-EU controller/processor to accept liability

Companies may just decide to cooperate to mitigate reputational risk


Jurisdiction Supervisory Authorities and Enforcement

Data subjects / consumer organizations may bring proceedings in the national courts where the data subject has habitual residence (Arts. 79 and 80 GDPR)

Civil/Criminal court rulings require execution in the U.S.

Obtain local DPA/court findings for use in proceedings overseas

Non-EU based controllers / processors may nonetheless appear in court, for instance, to avoid unwanted results

In case of “inappropriate” SA decision, companies may sue SAs before the national courts (Art. 78 GDPR)


Discussion | Practical Impact & Enforcement Risks


Case Studies

Does the GDPR apply and why? How can companies manage associated risks?

A US company sends employees to the EU on an ad-hoc basis, to make calls or for other activities

EU data subjects visit the US corporate website and occasionally buy products

A US company operates predominantly outside of the EU, but may have a parent, sub, affiliate or joint venture that does business in the EU

A US company has (independent) contracting relationships with businesses that operate in the EU. The company’s employees and activities are in the US.


Case Studies

If an SA commences an enforcement action against a US-based company, what are the jurisdictional defenses available to the company if it has no assets or employees in the EU?

If the SA levies a fine, would it be enforceable in the US?

Any different if an EU court enters a judgment against the US-based company?

How, if at all, does the possibility of private rights of action under the GDPR affect the analysis?


Case Studies

Suppose the company is primarily in the US, but with some of the business connections just discussed (employees, customers, corporate relationships, contracts) in the EU. What is the risk of enforcement action by the SA?

What realistically might trigger an enforcement action?

Is it safe for the company to “hide in the weeds” and assume that the SA will not enforce?

What are the risks associated with this strategy?

How does the answer change if the company does significant business in the EU, but is not a high-profile company that SAs are known to be monitoring/targeting?


Questions and Answers